
EU proposals for new payment services legislation

TLT picks out the key points you should not miss...

What is this about?

The EU Commission has published two legislative proposals which would repeal and replace the current Payment Services Directive 2 (PSD2) and the E-Money Directive (EMD). These would be replaced by a Directive (PSD3), which contains the authorisation and prudential requirements for both Payment Institutions (PIs) and E-Money Institutions (EMIs), and an EU Regulation (PSR), which would contain the conduct rules for PIs and EMIs. The Proposals are still under debate in the EU.

Our Head of Financial Regulation, Amanda Hulme says...

"The combined EU proposals for a new PSD3 and PSR do not create a seismic shift of regulatory approach to payments regulations by the EU. Some changes will align closer to UK requirements that have already diverged from the EU post Brexit. However, they will bring about some change. It remains to be seen how the UK will reform its own payments regulatory regime. The UK will need to have an eye on these proposals, not least to ensure the UK remains equivalent to the EU in order to maintain SEPA membership."

Open banking infrastructure changes

Much of the detail relating to the infrastructure needed for open banking has been moved into the PSR from the Strong Customer Authentication Regulatory Technical Standards (SCA RTS). In doing that, it has been re-articulated in places, clarified and slightly developed. The requirements for a fall-back mechanism have been removed. In the event of a failure of the dedicated interface used by Third Party Providers (TPPs), TPPs are allowed to ask their regulator to allow them to use the customer interface – effectively using a form of data scraping. The TPPs would need certain controls in place where they use the dedicated interface. The dedicated interface is also likely to need some changes to enable it to be used in these cases. There will also be exemptions for certain account providers from needing to allow access to TPPs, or which would enable those account providers to provide access via their customer interfaces. These will be set out in a later RTS.

Changes to access rights for PISPs and AISPs

Account Information Service Providers (AISPs) will be able to access ongoing data after a first SCA was applied by the customer without having to refresh with the account provider. After 180 days the AISP must obtain a new SCA from the customer, but one it can manage itself. The UK has already implemented relaxations to SCA refresh in these situations.

The PSR requires new customer dashboards to be provided in the customer's banking interface that enable TPP access rights to be controlled. The UK Open Banking standards already require these types of dashboards. The detail may be different, but the policy intention is the same.

The PSR also contains detail on what will amount to an obstacle for TPP access. These were previously set out in an EBA Opinion. This makes these elements more definitively outlawed. More responsibility is placed on regulators to enforce where TPPs' access rights are being hindered.

Changes to payment authorisation

The PSR contains new rules relating to mandates between a customer and a payee. Separately, authorisation of a payment needs to comply with Article 49, which envisages both an authorisation of a single payment, as well as a series of payments. Payments that are considered payee initiated have been extended. The combined effect of the new rules may well permit PISP authorisation of a series of payment transactions and we believe there may be scope within the new rules to enable Variable Recurring Payments (VRP). This could impact whether PISPs can be required to sign separate agreements with account providers to access "premium APIs" permitting VRPs. Although the Recitals to the PSR suggest this could remain possible, the widening of the scope of payments authorisations could create some doubt over this position in the EU. That would have significant commercial impacts for the UK.

Strong Customer Authentication requirements would be changed

The definition is similar and continues to categorise authentication elements into knowledge, possession and inherence. The two required elements no longer need to be in separate categories, provided that they are technically independent. There is a need to have multiple SCA solutions, including ones for customers with disabilities and lower technology skills. There is also more leeway for card payments and other payee initiated payments – to make it clearer where SCA is not required. Exemptions from SCA will be designed by the EBA in an RTS.

Outsourcing agreement is required for a technical service provider who provides the SCA elements solution


Changes to liability allocations

The new requirements do not go as far as the UK mandatory reimbursement model. However, the PSR does expand the existing liability of PSPs where a customer was manipulated by a person pretending to be an employee of the PSP – using name, email address or telephone number of the PSP unlawfully. There seems to be an attempt at placing some responsibility on electronic communications service providers to assist PSPs to stop the use of their communications by fraudsters.

A PSP will also be liable where it does not apply SCA, even if this is due to it using a permitted exemption. There will be a claw back from the payee (or payee's PSP) if either of them failed to develop the technology to apply SCA. There is an attempt at making payment scheme operators or technical services providers liable if they fail to enable PSPs to apply SCA. However, this is limited to being "within the remit of their contractual relationship", making it unclear whether the allocation of liability to a payee or its PSP could be excluded contractually.

There is an ability to delay refunds by up to 10 days where there are pending investigations due to reasonable grounds to suspect fraud or gross negligence by a customer. This is longer than the UK is proposing to implement.

Measures to tackle fraud

There are provisions aiming to facilitate fraud data sharing arrangements between PSPs. There are also requirements for annual staff training on fraud scenarios and for alerts for customers of new forms of fraud via "all appropriate means and media".

Data protection permissions

There has been concern about the processing of customer personal data for the purposes of biometric based SCA requirements. The PSR contains a provision that provides clarity that it is compliant to process special category data to the extent necessary for the provision of payment services and to comply with the PSR's obligations. This is subject to specific safeguards around data usage and training.

Changes to key definitions

Definitions that deserve a closer look and could have wider implications on processes would be:

  • Initiation of a payment order – steps necessary to prepare the execution of a payment transaction, including placement of payment order and completion of authentication process;
  • Execution of payment transaction – process starting once the initiation of transaction is completed and ending once the funds … are available to the payee;
  • Payment account – allows for sending and receiving funds to and from third parties;
  • Mandate – expression of authorisation given by the payer to the payee;
  • Payment instrument – "individualised device" or set of procedures;
  • Reference interest rate – must be capable of being verified by both parties;
  • Business day – "open for business to execute payment transactions".

Harder for firms to refuse to provide payment accounts to PIs

PIs, EMIs, as well as their agents and distributors, have a right to obtain payment accounts. A bank will no longer need to notify the regulator if it refuses an account to these institutions, but these institutions will be able to appeal to the regulator if they are refused. Firms will have the following narrower set of reasons to refuse an account:

  • serious grounds for suspecting defective money laundering or terrorism financing controls or illegal activities by the PI or its customers;
  • breach of contract by applicant;
  • insufficient information/documentation provided by applicant;
  • applicant or business model presents excessive risk profile;
  • disproportionately high compliance cost for the bank.

The refusal notification will be standardised and the requirements for this set out in an RTS.

Other small changes that could have wider operational impacts

As with all proposals, the devil will be in the detail, but key additional changes that would result in significant process changes are these:

  • there would be a restriction from automatically increasing spending limits associated with a payment instrument;
  • a customer would need to be able to prove any notifications it made to the PSP (eg about a compromised card) for 18 months. This suggests some form of log that a customer can access;
  • there are more express rules relating to blocking funds in relation to future card transactions.

At a glance

Publication link

1. EU PSR
2. EU PSD3

Published date

28 June 2023

Who has published it?

European Commission

Publication type

EU legislative proposal

1. Press release
2. Report
3. Report

Any key dates?

Estimated timeline for adoption and publication 2025 - 2026

What is it relevant to?

Payment Services
Open Banking
Fraud



Possible changes to the scope of activities covered

  • The inclusion of EMIs within the framework for payment services would mean the commercial agents' exemption is now available in relation to e-money activities.
  • There is a new exclusion for cash services provided in retail stores. The UK has already implemented something similar. However, the PSD3 suggests that these providers would still be caught by AML controls. This could have implications for the UK regime.
  • There is a slight narrowing of exemption for the Limited Network Exclusion. Instruments can only be used in a "single limited network". EBA Regulatory Technical Standards are to specify the conditions for this exemption (building on the existing Guidelines).
  • There is a narrowing of the commercial agent exemption – as there will need to be a "real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services" and there will be an express linkage to "commercial agents" as defined and covered by the separate EU commercial agents regulations. The EBA will issue Guidelines on the commercial agents' exemption, which no doubt will attempt to provide a restrictive interpretation on this exemption. This is likely to have significant impacts on a wider range of marketplace activities. The UK interpretation is already more expansive than many EU member states, so it is not clear whether the UK would also be keen to see the exemption narrowed.
  • There is a new definition of electronic money services, which captures the issuance, maintenance of payment accounts storing EM units, and the transfer of EM units. This could have implications for how activities would be classified.

Existing authorised APIs, EMIs and registered AISPs will need to reapply

There will be more detailed provisions on authorisation applications. This is an attempt to even up the standards between member states, including the assessment criteria. Annual on-site and off-site checks of agents and distributors will be expected to be demonstrated as part of the authorisation process.

ATM providers will need to register with the regulator, although the majority of the requirements will not apply to them.

Some potential relaxing of the local establishment requirements

Member states will be free to require a firm to have its registered office in its member state as a condition of authorisation there (which would then mean it would need its head office there too). Part of the payment services carried on must be in the member state where the firm is applying to be authorised, but it does not need to be the majority of its payment services activity.

Beefing up of capital and safeguarding

There will be increases to some of the minimum initial capital levels. An EBA RTS is expected on some elements of the calculation and on the broader safeguarding approaches, including around segregation and reconciliation. A PSP should endeavour not to safeguard with only one credit institution.

The Limited Network Exemption notification process is retained

There are some typos in the original draft proposal. It is not clear if there is to be an additional requirement to obtain an annual audit opinion on the £1million values or whether this is an error in the drafting.

Date published
04 Jul 2024
